
Privacy in Mobile Technology for Personal Healthcare

SASIKANTH AVANCHA and AMIT BAXI, Intel Labs Bangalore
DAVID KOTZ, Dartmouth College

Information technology can improve the quality, efficiency, and cost of healthcare. In this survey, we examine the privacy requirements of mobile computing technologies that have the potential to transform healthcare. Such mHealth technology enables physicians to remotely monitor patients’ health and enables individuals to manage their own health more easily. Despite these advantages, privacy is essential for any personal monitoring technology. Through an extensive survey of the literature, we develop a conceptual privacy framework for mHealth, itemize the privacy properties needed in mHealth systems, and discuss the technologies that could support privacy-sensitive mHealth systems. We end with a list of open research questions.

Categories and Subject Descriptors: A.1 [Introductory and Survey]; J.3 [Life and Medical Sciences]: Medical information systems; health; K.4.1 [Computers and Society]: Public Policy Issues—Privacy

General Terms: Security, Legal Aspects, Human Factors

Additional Key Words and Phrases: Privacy framework, medicine, electronic health record, personal health record, home healthcare, mobile healthcare, mHealth, e-health, HIPAA

ACM Reference Format: Avancha, S., Baxi, A., and Kotz, D. 2012. Privacy in mobile technology for personal healthcare. ACM Comput. Surv. 45, 1, Article 3 (November 2012), 54 pages. DOI = 10.1145/2379776.2379779 http://doi.acm.org/10.1145/2379776.2379779

1. INTRODUCTION

Healthcare information technology (IT) has huge potential to improve healthcare quality, improve efficiency, and reduce cost, and is currently on the cusp of major innovations and widespread deployment in the US and elsewhere. Its potential may best be described by a quote from the chairs of three leading healthcare policy and standards groups in the US.
“Our vision is one of a 21st century health system in which all health information is electronic, delivered instantly and securely to individuals and their care providers when needed, and capable of analysis for constant improvement and research. With better information upon which to base decisions, the challenging process of health reform can successfully proceed—measuring quality, rewarding value, engaging individuals—and lead the way to better health for all Americans.” [Halamka et al. 2009]

This research results from a program at the Institute for Security, Technology, and Society at Dartmouth College, supported by Intel Corporation, by NSF Trustworthy Computing award 0910842, and by the Department of Health and Human Services (SHARP program) under award number 90TR0003-01. Portions of this work appear in workshop papers presented at SPIMACS 2009 and NetHealth 2011. Authors’ names are listed alphabetically.

Authors’ addresses: S. Avancha and A. Baxi, Intel Labs Bangalore, #23-56p, Devarabeesanahalli, Outer Ring Road, Varthur Hobli, Bangalore South Taluk, Bangalore 560 037 India; D. Kotz, Dartmouth College, 6211 Sudikoff Lab, Hanover, NH 03755. Contact author: David Kotz; email: [email protected].

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies show this notice on the first page or initial screen of a display along with the full citation. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers, to redistribute to lists, or to use any component of this work in other works requires prior specific permission and/or a fee. Permissions may be requested from Publications Dept., ACM, Inc., 2 Penn Plaza, Suite 701, New York, NY 10121-0701 USA, fax +1 (212) 869-0481, or [email protected].

© 2012 ACM 0360-0300/2012/11-ART3 $15.00 DOI 10.1145/2379776.2379779 http://doi.acm.org/10.1145/2379776.2379779
ACM Computing Surveys, Vol. 45, No. 1, Article 3, Publication date: November 2012.

3:2 S. Avancha et al.

In this survey, we specifically examine the privacy challenges involved in mobile computing and communications technologies. Such mHealth technology [mH 2009] appears promising in many ways: enabling physicians to remotely monitor their patients’ health and improve the quality of healthcare, enabling patients to manage their health more easily, and reducing the cost of care by allowing patients to spend less time in the hospital or make fewer visits to their doctor. In mHealth, Mobile Internet Devices (MIDs), connected wirelessly to wearable, portable, and even embeddable sensors, will enable long-term continuous medical monitoring for many purposes [Baker et al. 2007; Boric-Lubecke and Lubecke 2002; Varshney 2007]: for outpatients with chronic medical conditions (such as diabetes), individuals seeking to change behavior (such as losing weight), physicians needing to quantify and detect behavioral aberrations for early diagnosis (such as depression), or athletes wishing to monitor their condition and performance. In this article, we use the term “Patient” to describe the subject of sensing in all such use cases, using the capitalized form as a reminder of its broader meaning. We expect MIDs, such as smart phones, to contain the technology and applications needed to process sensor data and enable their appropriate use. The resulting data may be used directly by the Patient [AC 2008; AH 2008; Wang et al. 2006] or may be shared with others: with a physician for treatment [SH 2008], with an insurance company for coverage, with a scientist for research [DH 2008], with a coach for athletic training [Aylward and Paradiso 2007], or with family members and friends in social-networking communities targeted towards health and wellness [OW 2009; DS 2009, e.g.].

The term “mHealth” applies broadly to the use of mobile technology in healthcare applications. In this article, however, we focus on patient-centered technology, as described in the previous examples and the detailed scenarios that follow. There are, of course, valuable uses of mobile technology in other aspects of healthcare delivery and management, including personal communication devices used by clinicians, inventory-control systems for medical equipment and consumables, and telemedicine platforms for emergency response or remote rural healthcare. Some of the issues we raise occur in such settings, but we do not directly address them here.

1.1. The Challenge

Although mHealth systems may indeed improve quality of healthcare and quality of life, they also generate new security and privacy issues [Al Ameen et al. 2010; Giannetsos et al. 2011]. The technology goal should be to develop usable devices that respect Patient privacy while also retaining the data quality and accessibility required for the medical uses of the data. In this article, we focus on privacy; specifically, we wish to give the Patient control over the data that is collected and to whom it is disclosed, and to recognize that different situations may require different responses. Indeed, we note that control, not possession or ownership, is fundamental to privacy.¹ Privacy means that the Patient retains control even when the data is “owned” by another party (as is common in medical records maintained by a hospital) and even after a copy of the data has been provided to another party (as when billing records are shared with an insurance company).

¹ Some researchers in the field of healthcare information privacy have a different opinion [Nissenbaum 2004], but the notion of privacy as information-control is common and (as we show in the next paragraph) the core of the definition used by an important advisory committee.

Given our focus on privacy, it is essential that we define it clearly for the context of healthcare. Fortunately, others have thought deeply about this issue; we adopt the definition selected by the National Committee for Vital and Health Statistics (NCVHS), a key advisory committee to the US Department of Health and Human Services.

“Health information privacy is an individual’s right to control the acquisition, uses, or disclosures of his or her identifiable health data. Confidentiality, which is closely related, refers to the obligations of those who receive information to respect the privacy interests of those to whom the data relate. Security is altogether different. It refers to physical, technological, or administrative safeguards or tools used to protect identifiable health data from unwarranted access or disclosure” [Cohn 2006].

We also follow NCVHS and define PHI as “personal health information” rather than “protected health information”, which is a phrase that has specific meaning in a HIPAA context [Choi et al. 2006].

Clearly, privacy is important in any healthcare information system. What is different or especially challenging about mHealth privacy? First, mHealth allows for the collection of far more medical data about the Patient, as many mHealth devices collect data continuously over extended periods of time. (For example, it is possible to record ECG data continuously for weeks, throughout daily life, rather than a one-minute recording taken in the clinic every other week.) Second, mHealth allows a much broader range of health-related information to be collected, not just physiological data; many mHealth applications will collect information about Patient lifestyle and activities (such as food habits and diet details, location tracks, physical activity, or social interactions). Third, mHealth will enable a broad range of health-related applications: sharing data with your health provider, as in a traditional doctor relationship, but also sharing data with an insurance company (e.g., to confirm compliance with a medication regimen), with lifestyle coaches (e.g., diet advisers), with athletic coaches (e.g., sports teams or health-club trainers), or with family (e.g., to support a relative’s recovery from surgery).